The CCTV camera can work 24 hours and prevent and deter crime. However, thanks to poor cyber security, our sentinels watching over us may actually be the very route into our most treasured data, says Martin Wellsted, Regional Manager Northern Territory at network security product company EfficientIP.
The hostile takeover of CCTV cameras, routers, and DVRs via the Mirai botnet follows attacks on the cloud DNS provider Dyn and the French hosting service OVH in October 2016, according to a report by security journalist Brian Krebs. All were avoidable. The Mirai botnet exploits unprotected firmware in certain IoT devices and then quickly floods DNS servers, so that users can no longer reach the services those servers provide. This is no small-scale attack: in the case of OVH, the botnet compromised over 170,000 devices from around the world.
IoT, the new weak spot
What makes these attacks unusual is their scale and their use of unprotected IoT devices rather than compromised PCs. So how can you defend your networks and users against attacks that abuse consumer hardware designed to be simple to use? The answer lies deep in the network layer. The first step is to build a hybrid DNS architecture to protect the DNS services you rely on. While DNS may not be the most visible line of defence, it is critical, and more is better here. Switching to advanced DNS hardware that can manage very high traffic volumes, and can identify and block attacks, is a great way to thwart hackers.
A good defence is important, but it is better to kill the problem at its root. The issue is that consumer Internet services are hard to protect. They are designed to be open, and most users don’t give the hardware they’re using a second thought: they never change the default password and use a very basic firewall, if any.
The new role for ISPs
We can’t expect customers to use advanced network security or to keep their IoT hardware up to date. It can also be tricky for vendors to provide regular, appropriate patches which are easy to apply. Many users are put off updating their IoT hardware when it can take over 20 minutes to update a lightbulb’s firmware. This all adds up to an increasingly hostile and hard-to-manage environment. The issue, though, is not just one for individual organisations. Internet Service Providers (ISPs) are the ‘traffic cops’ of the internet. They need to take a stricter approach to securing their networks, with tighter controls around customer premises equipment (CPE) and user networks. Common attack patterns can be detected by hardware in their networks.
When compromised networks are detected, DNS security tools can use technologies like Internet Protocol Address Management (IPAM) to turn the customer’s CPE from an open network to a more restricted network. Doing this alone means organisations can filter out botnet command and control packets. Additionally, it can provide users with fast access to tools and techniques to help repair their network if compromised; supporting them in detecting and updating compromised hardware, and in turn disrupting the botnet structure.
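The detection-and-quarantine step described above, as an added example that is not the article’s or EfficientIP’s own code: it scores each CPE’s DNS queries over a short window by query rate and by how random the leftmost label looks (the random-subdomain pattern of a DNS flood), and marks a CPE for the restricted policy when both are high. The log line format, thresholds and sample traffic are assumptions constructed for the example.

```python
# Added example (not from the article or EfficientIP): flag a customer CPE that is
# emitting a DNS flood, so the ISP can move it from the open to the restricted policy.
# The log format, thresholds and the sample traffic below are constructed assumptions.
import math
import random
import re
import string
from collections import defaultdict

# Assumed per-query log line format: "<epoch> <cpe_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<qname>\S+) (?P<qtype>\w+)$")


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per char) of one DNS label; random prefixes score high."""
    if not label:
        return 0.0
    n = len(label)
    counts = [label.count(ch) for ch in set(label)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def analyse(lines, window_s=10, qps_limit=5.0, entropy_limit=3.0):
    """Return {cpe_ip: 'open' | 'quarantine'} for one window_s-second batch of log lines."""
    per_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # silently skip lines that do not match the assumed format
            per_src[m["src"]].append(m["qname"])
    verdicts = {}
    for src, qnames in per_src.items():
        qps = len(qnames) / window_s
        # share of queries whose leftmost label looks machine-generated
        randomish = sum(1 for q in qnames if label_entropy(q.split(".")[0]) > entropy_limit)
        flood = qps > qps_limit and randomish / len(qnames) > 0.5
        verdicts[src] = "quarantine" if flood else "open"
    return verdicts


def sample_log():
    """Constructed traffic: one normal CPE and one infected CPE within a 10 s window."""
    rng = random.Random(1)
    names = ["www.example.com", "mail.example.com", "cdn.example.com"]
    lines = [f"{100 + i * 2} 203.0.113.10 {name} A" for i, name in enumerate(names)]
    alphabet = string.ascii_lowercase + string.digits
    for i in range(120):  # 12 qps of random-subdomain queries against one target zone
        prefix = "".join(rng.choices(alphabet, k=14))
        lines.append(f"{100 + i // 12} 203.0.113.20 {prefix}.victim.example.net A")
    return lines


if __name__ == "__main__":
    print(analyse(sample_log()))  # {'203.0.113.10': 'open', '203.0.113.20': 'quarantine'}
```

A CPE that is merely busy (high rate, ordinary names) stays open; only rate combined with random-looking labels triggers the restricted policy.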
Now we know
The above approach changes the relationship between the ISP and the customer, however, and some would see this as undue interference. Using this approach also means other ISPs at a regional level would need to be handled concurrently, and this may mean altering longstanding contracts between users and service providers.
If services and ISPs work collaboratively, an industry-wide approach to IoT updates and servicing can be built. Our solution then is fourfold:
– Advanced DNS services that are able to handle DDoS traffic
– Multiple DNS services for key services, to ensure their continuity
– A DNS security layer for CPE that is linked to attack pattern identification
– Consumer ISP quarantine services linked to easy update services for IoT hardware
Even with this approach, large-scale botnet DNS DDoS attacks such as Mirai cannot be prevented by any single action. This internet-scale threat calls for service providers, consumers, hardware vendors, and ISPs to join forces to deliver a multi-faceted solution. At least, though, we now know the inherent dangers of poor IoT security. Like a criminal caught in a CCTV image, we know ‘who’ they are…and we are coming to get them.